i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs' 'delete' logic probably just overwrote the email address with [email protected] or similar.

The answer is: at least 3 different orgs in the hour that I've owned that domain and been listening for email.

And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D

#infosec

Up to about 24 different orgs now, overnight had some emails containing PII of 'deleted' users from a:

UAE based Gym Chain
South African HR Platform
EU based Hotel Reservations Platform
India based Delivery Service

and best of all

US based Antivirus Manufacturer and Cybersecurity Provider

And of course the hotel reservations platform is happily spitting out the name of guests and their contact info to the Deleted User email address.

Deleteduser.com —a $15 PII Magnet

When is a delete, not a delete? When it’s a publicly routable placeholder.
Thursday must be PHI day - a platform that appears to be used by care workers and psychologists is happily sending patient names and details to deleteduser dot com.

Couple of new additions today to the internet dumpster:

- Some internal system at one of the world's largest and most recognizable consumer electronics manufacturers is telling deleteduser.com all about approved purchase orders, including direct links to the orders, and the names of all the people who are involved.

- More gyms, very common.

- Some platform used to offer temporary shifts to healthcare workers asked a nurse at deleteduser.com if they were available to urgently cover a shift at a South African healthcare facility.

Side note, if you want to see how common of a pattern this is, and I can't believe I didn't think of this earlier, go search Github.com for 'deleteduser.com', lots of examples of delete functions from apps there that do this type of thing.

I added 5 variations on this domain (not going to say what they are just yet to not interfere with the results) and in the first 20 minutes I have 3 more orgs all sending PII to these addresses for now deleted users.

Includes a managed IT services provider in Malaysia's ticketing system, which includes the full content of the ticket - system names, IPs etc.

Rather ironically a platform that helps companies "hire the world’s top remote talent without the search" is now on the list.

yeah so i registered internaluser.com and wow

oh noe - one of those places what sell knock off viagra does this

Haven’t done this because I’m an ethical sausage, but I do wonder - how many of these sites would happily send a password reset link to [email protected], and after resetting the password, how much order history/other PII and the like would be there?

I’d guess between 98-100% of them.

ok, curiosity won and I tried it on a couple

yes, they all willingly sent the password reset link to the domain

yes, they let me reset the password

no, they didn’t have mfa

yes, they let me log in to the “deleted” accounts

yes, i saw order histories, names, dob’s, last four of credit cards

yes, i disclosed to the security contacts i could find at the companies

yes, one of them was the viagra place

In one of the more ironic welcomes to the internet dumpster, an EU-based Bug Bounty program provider apparently uses a publicly routable placeholder domain for its "deleted" users' email addresses.

one org got back to me and said, 'yeah we effed up - and are fixing'

I was thinking of that scene in the Bart-falls-down-the-well episode of The Simpsons where at the end they say, 'and now to make sure nobody ever falls down this well again', followed by them putting up a small sign that says 'caution: well'.

I bet they'll run something like:

UPDATE users
SET email = REPLACE(email, '@deleteduser.com', '@deleteduser2.com')
WHERE email LIKE '%@deleteduser.com';

So no one ever falls down the well again.

Another good one - a European country's licensing authority for construction workers sends an email to deleteduser.com each time an employee is added to, presumably, the "deleted" user's former company.

That email includes the name, trade and license info of the person being added, alongside the PII of the "deleted" user.

Adding an EU based dating app, using deleteduser.com for their deleted user - but not appearing to delete/overwrite any of the other fields.

I guess this from their Google Play listing is technically accurate: "You may request, but what will happen is we'll update your email address."

Australia, if you thought you were immune, I have bad news:

Just got emails from some construction management app based down under.

Special shout out to their footer:

"This email has been sent to Paul of Deleted Company."

oh and yes it turns out owning internaluser.com and service-account.com is a truly incredible way to get access to notifications and logs from various corporate systems. they just email them right to ya.

sadly, serviceaccount.com is taken.

have decided to name this technique “plexfiltration”, which stands for “placeholder exfiltration”

@SecureOwl "...and this is how we managed to send the DPO to the E.R.".

@SecureOwl @Viss
So if a government violates GDPR, do they get fined 4% of GDP?

@FritzAdalis @SecureOwl @Viss It should be 4% of the global annual revenue, and given that the Vatican has been violating it ever since GDPR kicked in I sincerely hope so. Sadly, the national data protection agency of my country of origin doesn't care, and I couldn't find any EU body I could actually escalate to (I checked like 5 of them).

(Yes, I am aware that the Vatican is not a state; it just pretends to be one, but many are buying into it.)

@rhelune
AFAIR in Poland there is an exception for religious orgs in our implementation of GDPR (if not generally in GDPR).

And you may now interpolate which religious org holds the most SPI.

@FritzAdalis @SecureOwl @Viss

@dzwiedziu @FritzAdalis @SecureOwl @Viss I come from a different Catholic hellhole, but yeah: https://todon.eu/@rhelune/114851927850776987

Enola Knezevic (@[email protected])

@[email protected] @[email protected] @[email protected] Regarding the religious tax, I've been trying to get erased from the records of the Roman Catholic church in Croatia ever since the GDPR kicked in. I asked Croatian data protection authority to investigate. They told me that by the Canon law (Catholic Sharia) I would have to send an "Actus defectionis ab Ecclesiae Catholicae", so I sent both the GDPR erasure request and the Actus defectionis, both notarised, to the parish and to the bishop's office, before I left the country. They received it, I have the certificates of reception, but no response. I asked the data protection authority to investigate again. No response. I asked them to confirm that they have received my complaint and they confirmed it. Asked them a year later what they had done, no response. (My lifestyle consists of multiple grounds for excommunication.) So I just said "no religion" in Germany and I am paying no church tax. I even thought about asking data protection authority in Germany to help me get erased from records in Croatia, but it seems like they let the Roman Catholic church have their own authority 😳 #datenschutz #dataProtection #catholic #church

@rhelune
Hellhole buddies! ^_^

(I'm returning to mine in two weeks.)

I can only offer you anecdotes that Poles who were too skimpy to pay the church tax in DE found themselves kicked out of the RCC back at home.

@FritzAdalis @SecureOwl @Viss

@dzwiedziu @FritzAdalis @SecureOwl @Viss Oh well, I have nothing to do with Croatia anymore, but was under the impression that the Roman Catholic Church membership was global. In my Actus defectionis I mentioned never having believed in any deities which should be enough to kick me out 🤷

@SecureOwl it appears that deleted.fail is available

yes, .fail is apparently a TLD.
yes, null.fail is taken

@SecureOwl They could use deleted.example.com and be safe from this kind of attack.

@not2b or “invalid”

@revk No, example.com is special and cannot be registered by anyone. This is in the specs. That would also apply to any subdomain. AFAIK someone can register invalid.com and get all the email traffic.

@SecureOwl Fine today, but tomorrow? So I made a rule to let me know if the SEG sends out to *deleted* and similar domains.

You’d think a SEG/Microsoft/Google might, like, make this a feature. Been thinking about using @ifin and Fedi to share blatantly obvious ER/FR #s to dog pile.

And fine, I’ll include AI somewhere so they care.

@SecureOwl I didn’t think I was gonna learn a T-SQL function today, but here I am.
At least that’s something actionable to ease the existential dread and powerlessness.

@SecureOwl If you want to do this, which you shouldn't, you could just use an invalid DNS label in there.

Commonly used are labels with leading underscores.

So renaming [email protected] to foo@_deleted.bar.org would already be a huge improvement.

Not really what "deleted" means, mind you.

@SecureOwl For the sticklers: I'm aware that "invalid" labels in DNS are a complicated matter. I was trying to be brief.

@SecureOwl one of the most interesting fuck ups to read on

@SecureOwl Jesus Christ. Brilliant and depressing as fuck investigation wrapped in a bacon-flavored cluster fuck.

Do people just not know about the many top-level domains that exist that are guaranteed to not exist? I mean it's still an anti-pattern, but at least you are guaranteed THIS scenario won't bite you in the ass.

@lerxst @SecureOwl iirc, the best is example.com but I might be wrong

@matthewskelton @SecureOwl If you're not going to blank out the email field, something like "@dontdeliver.test" is probably better (the "test" TLD is IETF reserved to never be a TLD, along with a few others). Still an anti-pattern. If you're going to delete a record by a "marked delete" idea, it's best to have a field defined as such and give production a view to the tables that only show records that aren't.

example.com is actually live, though I don't believe they accept email.

@lerxst @matthewskelton @SecureOwl example.com is a valid domain, but there is no valid MX record for it, so no email delivery is possible. Pretty sure most email systems wouldn't even try for that one, so probably relatively safe even if someone poisons your DNS.

The same is not true for most other example.* addresses, so .test or .invalid are still better if you need to generate a syntactically correct email in code, but want to be sure nothing is actually delivered.

@tkissing @lerxst @matthewskelton @SecureOwl example.com looks live, but it's actually a reserved domain: www.rfc-editor.org/rfc/rfc2606.html#section-3 (together with example.net and example.org)

RFC 2606: Reserved Top Level DNS Names

@lerxst @SecureOwl
Rather than marking the user as deleted (or even better, deleting or moving to an archive table where possible) and deleting data they aren't required to keep (such as email addresses), your solution is to use a slightly less insecure version of the garbage code that caused the problem in the first place?

@leeloo @SecureOwl wow, aren’t you a bundle of joy! I said it was an anti-pattern even with that fix. Sorry I offended your architecture senses in an offhand comment.

@leeloo PS, I suggested pretty much the same thing you do in a comment further down.

@lerxst @SecureOwl
Oh, sorry, I must have skipped the anti-pattern comment.
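The "marked delete plus a production view" design from the two comments above, next to the placeholder-overwrite anti-pattern the thread is about, as an added example (not code from any poster or from any of the orgs mentioned). The schema, the sample users and the deleted1@deleteduser.com address format are constructed for the demo.

```python
import sqlite3

# Constructed in-memory schema: a users table plus the view that production
# code reads, as proposed in the thread.
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    email      TEXT,
    full_name  TEXT,
    deleted_at TEXT   -- NULL while the account is live
);
-- Anything that picks notification recipients selects from this view, so a
-- soft-deleted row can never be chosen no matter what its email column holds.
CREATE VIEW active_users AS
    SELECT id, email, full_name FROM users WHERE deleted_at IS NULL;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (id, email, full_name) VALUES (?, ?, ?)",
                     [(1, "paul@customer.example", "Paul"),
                      (2, "dana@customer.example", "Dana")])
    return conn


def delete_user_placeholder(conn: sqlite3.Connection, user_id: int) -> None:
    """The anti-pattern from the thread: the row stays live and its address now
    routes to whoever registered deleteduser.com."""
    conn.execute("UPDATE users SET email = 'deleted' || id || '@deleteduser.com' "
                 "WHERE id = ?", (user_id,))


def delete_user_soft(conn: sqlite3.Connection, user_id: int) -> None:
    """The fix: flag the row and erase the PII the org is not required to keep."""
    conn.execute("UPDATE users SET deleted_at = datetime('now'), email = NULL, "
                 "full_name = NULL WHERE id = ?", (user_id,))


def notification_recipients(conn: sqlite3.Connection) -> list[str]:
    """Addresses a purchase-order or shift-cover style notification would go to."""
    return [row[0] for row in conn.execute("SELECT email FROM active_users ORDER BY id")]
```

With the placeholder approach the "deleted" user is still returned as a recipient; with the soft delete the view hides the row and there is no address left to leak.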

@SecureOwl if vendor has a bug bounty, that cracks the door a bit. Join it.

If someone else (anon, vpn’d) triggers a pwd reset knowing only host and username, you’d be indemnified a bit more.

It feels like a notable issue, worthy of testing.

@SecureOwl if I use `.example` for dummy addresses does that guarantee the email will never be received in this way? e.g. [email protected]

@jackeric i should think so, since .example is a reserved TLD, like .test and .internal. My impression is that .example is intended for documentation and .test for testing but I should think it's the same behavior either way

@jackeric hmm having just read some of the relevant RFC (https://www.rfc-editor.org/rfc/rfc6761) the "example" domains are treated differently to e.g. the test domains, in that dns servers "should" try to resolve example domains normally, whereas dns servers should (unless configured otherwise) instantly return negative responses for .test domains.

It probably doesn't make a difference to your use case but just an interesting point of distinction (and at the very least my guess that they would have the same behavior was wrong!)

RFC 6761: Special-Use Domain Names

@jackeric @SecureOwl i think .invalid is the one intended for stuff like this

@SecureOwl that's mindblowing. You've just discovered a terrible secret that software devs have been committing. PII violations from so many orgs.

@SecureOwl after your post I immediately grep’d deleted, moved, inactive, terminated, user, account, etc for all outbound domains in my SEG. : )

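Two things the thread keeps circling back to, as one added example (not code from any poster): checking whether a placeholder domain is IETF-reserved per RFC 2606 / RFC 6761 before a delete routine writes it, and the outbound-SEG rule several commenters set up to flag mail leaving for "deleted"-style domains. The log format, the keyword list and the sample lines are constructed assumptions; the reserved names are the ones the RFCs and the thread name.

```python
import re

# Names reserved by RFC 2606 / RFC 6761 (the thread's .test, .example, .invalid and
# example.com/.net/.org): mail to them can never reach a third party.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Words placeholder domains tend to contain, drawn from the domains named in the
# thread (deleteduser, internaluser, service-account) plus the SEG grep terms above.
PLACEHOLDER_WORDS = ("deleted", "internal", "service", "inactive",
                     "terminated", "moved", "placeholder")


def is_reserved_domain(domain: str) -> bool:
    """True if the domain (or any subdomain of it) is IETF-reserved."""
    domain = domain.lower().rstrip(".")
    if domain.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    return any(domain == d or domain.endswith("." + d) for d in RESERVED_DOMAINS)


def placeholder_risk(address: str) -> str:
    """Classify the address a delete routine is about to write into the user row:
    'safe' if undeliverable by construction, 'leak' if someone could register it."""
    return "safe" if is_reserved_domain(address.rsplit("@", 1)[-1]) else "leak"


# Constructed sample lines in the style of an outbound mail gateway log.
SAMPLE_LOG = """\
2025-07-17T09:01:02Z relay=out1 from=orders@shop.example to=alice@customer.example status=sent
2025-07-17T09:01:05Z relay=out1 from=hr@corp.example to=paul@deleteduser.com status=sent
2025-07-17T09:01:09Z relay=out1 from=alerts@corp.example to=svc@service-account.com status=sent
2025-07-17T09:01:11Z relay=out1 from=hr@corp.example to=bob@deleted.invalid status=bounced
"""

RCPT_RE = re.compile(r"\bto=([^\s@]+@(\S+))")


def find_plexfiltration(log_text: str) -> list[str]:
    """Recipients that look like placeholders but sit on a routable domain:
    the outbound SEG rule the thread suggests."""
    hits = []
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        address, domain = m.group(1), m.group(2).lower()
        if any(w in domain for w in PLACEHOLDER_WORDS) and not is_reserved_domain(domain):
            hits.append(address)
    return hits
```

On the sample log only the two routable placeholders are flagged; bob@deleted.invalid is ignored because .invalid is reserved.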
@SecureOwl
Why?! How!? What‽

@RnDanger @SecureOwl Yeah that’s my question(s). Why would someone “delete” users this way? How can you not tell you’re sending craploads of mail?

Something strange is afoot at the Circle K, man.

@SecureOwl there's got to be a few variations of this that might be less obvious and still used enough to be worth investigating?

@SecureOwl the EU based companies are facing GDPR related troubles !

@Vive_Levant @SecureOwl yeah that was my first thought too, they’re potentially in for a world of pain